<a href='https://github.com/angular/angular.js/edit/v1.8.x/docs/content/error/$compile/nodomevents.ngdoc?message=docs(error%2Fnodomevents)%3A%20describe%20your%20change...' class='improve-docs btn btn-primary'><i class="glyphicon glyphicon-edit">&nbsp;</i>Improve this Doc</a>


<h1>Error: $compile:nodomevents
  <div><span class='hint'>Event Attribute/Property Binding</span></div>
</h1>

<div>
    <pre class="minerr-errmsg" error-display="Interpolations for HTML DOM event attributes are disallowed">Interpolations for HTML DOM event attributes are disallowed</pre>
</div>

<h2 id="description">Description</h2>
<div class="description">
  <p>This error occurs when one tries to create a binding for event handler attributes or properties like <code>onclick</code>, <code>onload</code>, <code>onsubmit</code>, etc.</p>
<p>There is no practical value in binding to these attributes/properties and doing so only exposes your application to security vulnerabilities like XSS.
For these reasons binding to event handler attributes and properties (<code>formaction</code> and all starting with <code>on</code>) is not supported.</p>
<p>An example code that would allow XSS vulnerability by evaluating user input in the window context could look like this:</p>
<pre><code>&lt;input ng-model=&quot;username&quot;&gt;
&lt;div onclick=&quot;{{username}}&quot;&gt;click me&lt;/div&gt;
</code></pre>
<p>Since the <code>onclick</code> evaluates the value as JavaScript code in the window context, setting the <code>username</code> model to a value like <code>javascript:alert(&#39;PWND&#39;)</code> would result in script injection when the <code>div</code> is clicked.</p>
<p>Please use the <code>ng-*</code> or <code>ng-on-*</code> versions instead (such as <code>ng-click</code> or <code>ng-on-click</code> rather than <code>onclick</code>).</p>

</div>


